4. Firewalling Software

4.1 Available packages

Strict firewalling does not need any software except the Linux kernel and the base networking packages (inetd, telnetd and telnet, ftpd and ftp). But a firewall like this is extremely restrictive and not very useful.

Software packages have therefore been written to make a firewall more useful. The one that I would like to examine in most detail is a package called "socks", which is a proxy server. But there are two other programs that you might want to keep in mind, and I would like to give you a short review of them now.

4.2 The TIS Firewall Toolkit

TIS has put out a collection of programs designed to facilitate firewalling. The programs do basically the same thing as the Socks package, but with a different design strategy. Where Socks has one program that covers all Internet transactions, TIS has provided one program for each utility that wishes to use the firewall.

To better contrast the two, let's take the example of World Wide Web and Telnet access. With Socks, you set up one configuration file and one daemon. Through this file and daemon, both Telnet and WWW are enabled, as well as any other service that you have not disabled.

With the TIS toolkit, you set up one daemon each for WWW and Telnet, as well as a configuration file for each. After you have done this, other Internet access is still prohibited until explicitly set up. If a daemon for a specific utility has not been provided (like talk), there is a "plug-in" daemon, but it is neither as flexible nor as easy to set up as the other tools.

This might seem a minor difference, but it has major consequences. Socks allows you to be sloppy. With a poorly set up Socks server, someone from the inside could gain more access to the Internet than was originally intended. With the TIS toolkit, the people on the inside have only the access the system administrator wants them to have.

Socks is easier to set up, easier to compile and allows for greater flexibility. The TIS toolkit is more secure if you want to regulate the users inside the protected network. Both provide absolute protection from the outside.

4.3 TCP Wrapper

TCP wrapper is not a firewalling utility, but it allows for many of the same effects. Using TCP wrapper, you can control who has access to your machine and to what services, as well as keep logs of the connections. It also does basic forgery detection.
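
The order in which TCP wrapper consults its two rule files decides whether an unlisted client is let in. The Python below is an added example, not part of the original HOWTO; it assumes the hosts.allow/hosts.deny rule files described in hosts_access(5), handles only the ALL, leading-dot and trailing-dot client patterns, and uses constructed daemon names, host names and addresses.

```python
# Added example: models tcpd's hosts.allow / hosts.deny decision order.
# Pattern support is a subset of hosts_access(5): ALL, ".suffix", "prefix.", exact.

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # this model skips lines without a client list
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def matches(pattern, name, addr):
    """Match one client pattern against the peer's host name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # host name suffix, e.g. .inside.example
        return name.endswith(pattern)
    if pattern.endswith("."):        # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (name, addr)

def decide(daemon, name, addr, allow, deny):
    """Return (granted, source): allow file first, then deny file, else grant."""
    def hit(rules):
        return any(
            any(d in ("ALL", daemon) for d in daemons)
            and any(matches(c, name, addr) for c in clients)
            for daemons, clients in rules)
    if hit(allow):
        return True, "hosts.allow"
    if hit(deny):
        return False, "hosts.deny"
    return True, "default"   # no rule matched in either file: access is granted

# Constructed sample rules, host names and addresses (not from the HOWTO).
ALLOW = parse_rules("in.telnetd: 192.168.1.\nin.ftpd: .inside.example")
DENY_EMPTY = parse_rules("# nothing listed")
DENY_ALL = parse_rules("ALL: ALL")

if __name__ == "__main__":
    outsider = ("in.telnetd", "host.outside.example", "203.0.113.9")
    print("empty hosts.deny:", decide(*outsider, ALLOW, DENY_EMPTY))
    print("ALL: ALL in deny:", decide(*outsider, ALLOW, DENY_ALL))
```

With an empty deny file the outside client is granted by default; an `ALL: ALL` line in the deny file makes everything not explicitly allowed fail closed, the same explicit-permission stance the text attributes to the TIS toolkit.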

TCP wrapper is not covered more extensively here because of a couple of reasons.

4.4 Ipfw and Ipfw Admin

